Jacek, there isn't a direct way at the moment to get historical data on which user/ appKey was authenticated to connect to a Remote Thing.
With that being said, one thing you can try is exporting your Remote Thing, open the xml, and look under the 'ConfigurationChange' section. That has historical information on when it was created, who modified it etc.
Unfortuntally I will find only entity info there, not information about the credentials (appkey) that was used to connect the device. I am digging deeply in the platform but it seems that there is no way to achieve it besides broadcasting the appkey as a additional remote property directly from the agent.
I think it would be great improvement to introduce funcionality which could determine the appkey that was used in order to connect device via WS.
The plan is to separate Thingworx users with Organizations, so created Thing will be only visible for the user that are assigned to the same Organizations (and all users from given organization are going to use shared appKey). So there is no way that user from other organization will even see Things that are broadcasting appkey. You think it is secure enough?
I still don't like the idea of storing appKey on property - what if user changes organisation? What if user demoes application to somebody from outside of organization and 3rd party can grab the appKey value?
What about following - on the Agent side calculate some sort of a hash of the appKey. It must be one directional, deterministic hash (no way to de-code original appKey).
On the Platform have a mapping between hashes and usernames.
You mentioned that you have 1 appKey per organization. So this mapping table will not be large and should be easy to maintain. Flow:
1) create new Org
2) generate appKey for org user
3) generate hash
4) add hash to map (hash, org_user)
When new Thing is registered and the hash value is transmitted from the device, do a lookup and store username on 'registeredBy' property or similar.
Worst case scenario you expose username to 3rd party but that is not enough to perform attack.
As Maciej noted, this would be a big security risk. You can log into ThingWorx with just the appKey, and based on the permissions set (for that user/ appKey), it would be pretty easy to change anything.
With exporting the Thing, you can see what user accessed it. An appKey is created with a user context, so you will have an idea what 'user' was used, but not from an appKey standpoint.